Popular password manager LastPass has issued a security notice warning users about “suspicious activity” on their network. Specifically, while the company claims its investigation shows no evidence that encrypted user vault data was taken, nor that LastPass user accounts were accessed, intruders did make off with account email addresses, password reminders, server per user salts, and authentication hashes. Time to change your master passwords.

According to Joe Siegrist, CEO and co-founder of LastPass, the authentication hashes should be sufficiently protected to prevent anyone from using them to access your account. LastPass strengthens the authentication hash with a random per-user salt and 100,000 rounds of server-side PBKDF2-SHA256, in addition to the rounds performed client-side. Nonetheless, as a precaution, the company is still asking users to update their master passwords and verify their account by email whenever they log in from a new device or IP address.
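The two-stage scheme described above, as an added illustration that is not LastPass's own code: the client derives an authentication hash from the master password, the server strengthens it with a random per-user salt and 100,000 rounds of PBKDF2-SHA256, and only the salt and the strengthened hash are stored. The client-side round count and the use of the lowercased email as the client-side salt are assumptions for the example; the page does not state them.

```python
import hashlib
import hmac
import os

# Assumed client-side round count (not stated on the page); the server-side
# count of 100,000 rounds of PBKDF2-SHA256 is the figure the article gives.
CLIENT_ROUNDS = 5_000
SERVER_ROUNDS = 100_000


def client_auth_hash(email: str, master_password: str) -> bytes:
    """Client-side derivation. The master password itself never leaves the
    device; only this derived value is sent to the server. Using the
    lowercased email as the salt is an assumption made for this example."""
    return hashlib.pbkdf2_hmac(
        "sha256", master_password.encode(), email.lower().encode(), CLIENT_ROUNDS
    )


def server_strengthen(client_hash: bytes, salt: bytes) -> bytes:
    """Server-side strengthening: a further 100,000 PBKDF2-SHA256 rounds
    keyed by a random per-user salt. This is the value that would sit in
    the stolen 'authentication hash' column alongside its salt."""
    return hashlib.pbkdf2_hmac("sha256", client_hash, salt, SERVER_ROUNDS)


def enroll(email: str, master_password: str) -> tuple[bytes, bytes]:
    """Create the stored record (salt, auth_hash) for a new or rotated
    master password. A fresh random salt is drawn on every enrollment, so a
    leaked record is tied to exactly one (password, salt) pair."""
    salt = os.urandom(16)
    return salt, server_strengthen(client_auth_hash(email, master_password), salt)


def verify(email: str, master_password: str, salt: bytes, stored: bytes) -> bool:
    """Recompute both stages from a login attempt and compare in constant time.
    Every guess an attacker makes against a leaked (salt, hash) pair costs
    CLIENT_ROUNDS + SERVER_ROUNDS PBKDF2 iterations."""
    candidate = server_strengthen(client_auth_hash(email, master_password), salt)
    return hmac.compare_digest(candidate, stored)
```

Rotating the master password produces a new salt and hash, so a record taken before the rotation no longer matches any current credential.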

The service seems to be dealing with a lot of traffic following the breach. At the time of writing, trying to change the master password results in a server overload message.

Some other recommendations include enabling two-factor authentication, and if you’ve reused your master password on other websites (a big no-no when it comes to online security), you should go change those passwords now.

In a nutshell, the breach doesn’t mean hackers have full access to the passwords of every LastPass user, but if you’ve trusted the service with a treasure trove of logins, it’s best to make sure you’re not using a weak master password.

Thanks for the heads up. MP changed.
I got that server overload message too, but my new password still works.

Dear LastPass User,

We wanted to alert you that, recently, our team discovered and immediately blocked suspicious activity on our network. No encrypted user vault data was taken, however other data, including email addresses and password reminders, was compromised.

We are confident that the encryption algorithms we use will sufficiently protect our users. To further ensure your security, we are requiring verification by email when logging in from a new device or IP address, and will be prompting users to update their master passwords.

We apologize for the inconvenience, but ultimately we believe this will better protect LastPass users. Thank you for your understanding, and for using LastPass.